1.1 HPE
RURL JG T FIAT RETT:

Console, Telnet, SSH (versions 1.x and 2.0; SSH 2.0 requires 7.x), PDM over HTTP (7.x uses ASDM instead), and VMS / Firewall Management Center.
ZO A ROM Monitor R. BURG D Cd RH N Ed, SCF Help, History Hop Zar h D ANE.

Note: Catalyst6500 DÉI FWSM 4 17388
ZORA, i FT CLI ap SEA:

Switch# session slot slot processor 1    (slot is the FWSM's slot number; with the FWSM in slot 3: session slot 3 processor 1)
HIPS:
At the Firewall> prompt, enable enters privileged mode (Firewall#). RAK PH EIE AS S WA. TE 6.x PI BHO S AE — NE EN PIET, V7.x DUS SUI TOS SSA Se Je PO S MA HIH AZ HU T R G8; exit or ctrl-z leaves the current mode.
TE JR fr SB IO no RI GL AGM dn Z. show running-config or write terminal displays the running configuration; 7.x also accepts the abbreviation show run. show running-config all additionally lists the default settings. Tab completes commands and ctrl-l redraws the current line (KLM U TT RL DEN); help and history work as in IOS.
The output of show commands can be filtered with | begin, | include, | exclude or | grep followed by a pattern.
terminal width sets the terminal width (default 80 columns); pager sets how many lines are shown per screen (default 24), and pager lines 0 disables paging.
1.2 Bi Joi vr n] sr ea

The license type can be checked with show version:

Unrestricted (UR)               no limit on interfaces or connections; supports Failover
Restricted (R)                  limited number of interfaces and connections; does not support Failover
Failover (FO)                   can only be used as the standby unit of a Failover pair
Failover-Active/Active (FO-AA)  like FO, but for active/active failover

Note: the FWSM only comes with the UR license.

The activation-key command changes the license; the key is tied to the serial number (shown by show version), and 6.x keys are 16 bytes long while 7.x keys are 20 bytes long.
1.3 MÆRE

BRA EH ds — FE HI USER] setup HEAT ol d H ASB
2.1 REED

BE ET:

D; RE BE TRD AO S TE D ZAR, ED P HE CT. x Tp Z PVO) MY SER. rot DFE yee ty DL REECH (vlan), JA 6.3 HC trunk, (AR ZF 802.1Q H3, ACE DTP BM o
BDÆKEE:
Note: the FWSM has no physical interfaces; its interfaces are VLANs identified by VLAN id. Assuming the FWSM sits in slot 3 of the 6500 and is to be given VLANs 100, 200 and 300:

Switch(config)# firewall vlan-group 1 100,200,300
Switch(config)# firewall module 3 vlan-group 1
Switch(config)# exit
Switch# session slot 3 processor 1

The FWSM then sees the interfaces vlan100, vlan200 and vlan300.
PIX 6.x
Firewall(config)# interface hardware-id [hardware-speed] [shutdown]    (the hardware-id values are listed by show version)

PIX 7.x
Firewall(config)# interface hardware-id
Firewall(config-if)# speed {auto | 10 | 100 | nonegotiate}
Firewall(config-if)# duplex {auto | full | half}
Firewall(config-if)# [no] shutdown

fir A

FWSM 2.x
Firewall(config)# nameif vlan-id if_name security_level

PIX 6.x
Firewall(config)# nameif {hardware-id | vlan-id} if_name security_level

PIX 7.x
Firewall(config)# interface hardware-id[.subinterface]
Firewall(config-if)# nameif if_name
Firewall(config-if)# security-level level

Note: PIX 7.x and FWSM 2.x allow interfaces to share a security level; traffic between such interfaces requires the same-security-traffic permit inter-interface command.
IP address configuration

Static:  Firewall(config)# ip address if_name ip_address [netmask]
DHCP:    Firewall(config)# ip address outside dhcp [setroute] [retry retry_cnt]
Note: setroute installs the default gateway learned from the DHCP server as the firewall's default route; the lease can later be renewed.
PPPoE:   Firewall(config)# vpdn username JohnDoe password JDsecret
         Firewall(config)# vpdn group ISP1 localname JohnDoe
         Firewall(config)# vpdn group ISP1 ppp authentication chap
         Firewall(config)# vpdn group ISP1 request dialout pppoe
         Firewall(config)# ip address outside pppoe setroute
Verify:  Firewall# show ip
IPv6 address configuration (7.x)
ARP configuration

Static ARP entry: Firewall(config)# arp if_name ip_address mac_address [alias]
ARP timeout:      Firewall(config)# arp timeout seconds    (default 4 hours)

Note: clear arp flushes the dynamic ARP entries but not the static ones; each static entry binds one IP address to one MAC address and can only be removed with the no form of the arp command.
MTU #4) Be

Set the MTU: Firewall(config)# mtu if_name bytes    (verify with show mtu in 6.3, show running-config mtu in 7.x)

Fragment handling:
  Maximum number of fragments held for reassembly:  Firewall(config)# fragment size database-limit [if_name]
  Maximum number of fragments per packet:            Firewall(config)# fragment chain chain-limit [if_name]
  Reassembly timeout:                                Firewall(config)# fragment timeout seconds [if_name]
Wo EO ARE) CT. x IRE)
2.2 KEM

Reverse-path verification (anti-spoofing): Firewall(config)# ip verify reverse-path interface if_name

Static route: Firewall(config)# route if_name ip_address netmask gateway_ip [metric]

Enable RIP (v1, v2):
  Firewall(config)# rip if_name passive [version 1]
  Firewall(config)# rip if_name passive version 2 [authentication [text | md5 key key_id]]
Advertise a default route over RIP:
  Firewall(config)# rip if_name default version [1 | 2 [authentication [text | md5 key key_id]]]

OSPF configuration
  Define the OSPF process:          Firewall(config)# router ospf pid
  Define the networks OSPF runs on: Firewall(config-router)# network ip_address netmask area area_id
  Optional: set the router ID:      Firewall(config-router)# router-id ip_address
  Log adjacency changes:            Firewall(config-router)# log-adj-changes [detail]
  Enable area authentication:       Firewall(config-router)# area area_id authentication [message-digest]
  Originate a default route:        Firewall(config-router)# default-information originate [always] [metric value] [metric-type {1 | 2}] [route-map name]
  Adjust OSPF timers:               Firewall(config-router)# timers {spf spf_delay spf_holdtime | lsa-group-pacing seconds}
2.3 DHCP

Configuring a DHCP server:
  Address pool:           Firewall(config)# dhcpd address ip1[-ip2] if_name    (at most 256 addresses)
  DHCP options:           Firewall(config)# dhcpd dns dns1 [dns2]
                          Firewall(config)# dhcpd wins wins1 [wins2]
                          Firewall(config)# dhcpd domain domain_name
                          Firewall(config)# dhcpd lease lease_length
                          Firewall(config)# dhcpd ping_timeout timeout
  Enable the DHCP server: Firewall(config)# dhcpd enable if_name
  Verify: show dhcpd, show dhcpd bindings, show dhcpd statistics

Configuring DHCP relay:
  Define the DHCP server to relay to: Firewall(config)# dhcprelay server dhcp_server_ip server_ifc    (up to 4 servers)
  Timeout and default route:          Firewall(config)# dhcprelay timeout seconds
                                      Firewall(config)# dhcprelay setroute client_ifc
  Enable relay:                       Firewall(config)# dhcprelay enable client_ifc
  Verify: show dhcprelay statistics
2.4 BEND

3. MARE
3.1 (#1 Security Context 7 EMI KK 7.x REED

Overview: supported since PIX 7.0 and FWSM 2.2(1); one physical firewall can be partitioned into several virtual firewalls, each called a context. There are two modes, single-context and multiple-context, and three kinds of configuration space: the system execution space (where the contexts are defined and managed), the administrative context, and the user contexts (each one a separate virtual firewall).

show activation-key shows whether the multiple-context feature is licensed; mode multiple and mode single switch between the modes, and show mode shows the current mode. Firewall# changeto {system | context_name} switches between contexts; the contexts themselves are defined in the system execution space, which is entered with changeto system. Firewall(config)# context name creates a context; Firewall(config-ctx)# allocate-interface physical-interface [map-name] assigns interfaces to it, and Firewall(config-ctx)# config-url url sets where the context's startup-config is kept. show context lists the contexts.

Note: after switching to multiple-context mode the admin context must be defined (it is listed by show context).

To stop one context from consuming all resources, resource usage can be limited per context. Firewall(config)# class name defines a resource class; Firewall(config-class)# limit-resource all number% or Firewall(config-class)# limit-resource [rate] resource_name number[%] sets the limits, and Firewall(config-ctx)# member class assigns a context to the class.
Verify with show class, show resource allocation, show resource usage.

Note: by default each context may have 5 telnet, 5 ssh and 5 IPsec sessions and 65535 MAC addresses.
3.2 f 38 Flash x fF AR

6.x XC fF REC
RATCHET LRE] Flash, RAMHEBARARS, KA RAM
OOS fi (8% 1 FSH 2 VPN MZEE 3 PDM SI 4 HRS 50 gc X
show flashfs shows the flash layout.

7.x HI FWSM JR St
7.x All FWSM :8(& IOS WHA, AA BRAS, SUMUS LEH, 7.x EH flash TE Flash LRA, FWSM SY 514: Å] flash:/ (Kiu disk: (KLE Scr)

The file system resembles a Unix file system and supports the following commands:
dir pwd cd more delete copy rename mkdir rmdir format erase fsck    (fsck checks file-system consistency)

In 6.x Flash holds a single image, which boots automatically; in 7.x the boot image is selected with Firewall(config)# boot system flash:/filename, and show bootvar shows the boot settings.

OS TSR ULB Se
3.3 FAMEN

7.0 can specify the location of the startup configuration: Firewall(config)# boot config url

View the configuration: Firewall# show startup-config, Firewall# show configuration (6.x: show configure)

Save the configuration: write memory, copy running-config startup-config, write net [[server_ip_address]:[filename]] (7.x also supports copy ... tftp)

Copy the configuration to the standby unit with write standby; clear the startup configuration with write erase

Load the configuration from flash: configure memory; from a web server: configure http[s]://[user:password@]location[:port]/http-pathname (7.x uses copy instead)

Auto Update:
Firewall(config)# auto-update device-id {hardware-serial | hostname | ipaddress [if_name] | mac-address [if_name] | string text}
Firewall(config)# auto-update server http[s]://username:password@AUSserver-IP-address[:port]/autoupdate/AutoUpdateServlet [verify-certificate]
3.4 SE HAH

Console idle timeout: Firewall(config)# console timeout minutes    (0 means no timeout)

Telnet: telnet access is not allowed from the outside interface. Enable telnet with Firewall(config)# telnet ip_address netmask if_name; Firewall(config)# telnet timeout minutes sets the telnet idle timeout.

Enabling SSH access
Generate the RSA key pair: Firewall(config)# domain-name name, then Firewall(config)# ca generate rsa key [modulus] (7.x: crypto key generate rsa general-keys [modulus modulus]) and Firewall(config)# ca save all (not needed in 7.x).
show ca mypubkey rsa displays the key (7.x: show crypto key mypubkey rsa); ca zeroize rsa deletes it (7.x: crypto key zeroize rsa default).
Permit SSH clients: Firewall(config)# ssh ip_address netmask if_name
ssh version restricts the accepted SSH version; ssh timeout sets the SSH idle timeout.

PDM/ASDM access
HH PDM Frid Be,» BrELA mE E DD. For ASDM, Firewall(config)# asdm image device:/path points at the ASDM image (copied to flash beforehand with copy). Firewall(config)# http ip_address subnet_mask if_name permits HTTP management from those hosts, Firewall(config)# http server enable starts the server, and the GUI is then reached at https://ip-address/admin.

Banner: Firewall(config)# banner {exec | login | motd} text defines a banner; the no form removes one, and clear banner removes all banners (7.0: clear configure banner).

Session management: who lists telnet sessions and kill telnet-id terminates one; show ssh sessions lists SSH sessions and ssh disconnect session-id terminates one; show pdm sessions lists PDM sessions and pdm disconnect session-id terminates one.
3.5 ABH Ja Al A ioe

reload restarts the firewall; from 7.0 the reload can be scheduled:
Firewall# reload at hh:mm [month day | day month] [max-hold-time {minutes | hhh:mm}] [noconfirm] [quick] [save-config] [reason text]
or run after a delay:
Firewall# reload in {minutes | hh:mm} [max-hold-time {minutes | hhh:mm}] [noconfirm] [quick] [save-config] [reason text]

Crash information: Firewall(config)# crashinfo save enable enables saving it (7.0: no crashinfo save disable); show crashinfo displays it and clear crashinfo deletes it (the FWSM uses crashdump instead).
3.6 SNMP x ft

SNMP system information: Firewall(config)# snmp-server location string / Firewall(config)# snmp-server contact string
SNMP management host:    Firewall(config)# snmp-server host if_name ip_addr [poll | trap]
Community string:        Firewall(config)# snmp-server community key
4. APER

4.1 AA EE

Note: the login password is set with password; by default there is no enable password; SSH logs in with the user name pix and the password set by the password command.

Login password:  Firewall(config)# {password | passwd} password [encrypted]    (default is cisco; clear {password | passwd} restores it)
Enable password: Firewall(config)# enable password [pw] [level priv_level] [encrypted]
4.2 ABE PEE EH)

Define a local user:          Firewall(config)# username username [{nopassword | password password} [encrypted]] privilege level
Enable local authentication:  Firewall(config)# aaa authentication {serial | telnet | ssh | http} console LOCAL

Note: with local user authentication, entering enable mode still uses the shared enable password, so every user gets the same enable access. If local enable authentication is configured as well (aaa authentication enable console LOCAL), users enter enable mode with their own username password and receive the privilege level set on the username command.

Enable command authorization:          Firewall(config)# aaa authorization command LOCAL
Set the privilege level of a command:  Firewall(config)# privilege {show | clear | configure} level level [mode {enable | configure}] command command
show privilege shows the current privilege level (7.x: show run all privilege lists the command privilege levels).
4.3 ED AAA ARS SORTES DH D

Define an AAA server group and its protocol: Firewall(config)# aaa-server server_tag protocol {tacacs+ | radius}    (7.x adds kerberos, ldap, nt and sdi)
Add a server to the group: Firewall(config)# aaa-server server_tag [(if_name)] host server_ip [key] [timeout seconds]
Maximum failed attempts before a server is considered down:
  FWSM     Firewall(config)# aaa-server server_tag max-attempts number
  PIX 6.x  Firewall(config)# aaa-server server_tag max-failed-attempts number
  PIX 7.x  Firewall(config-aaa-server-group)# max-failed-attempts number
Accounting mode (7.x only): Firewall(config-aaa-server-group)# accounting-mode {single | simultaneous}

FAS iE NC ELT WR
4.4 ite AAA EHH

Authentication: Firewall(config)# aaa authentication {serial | telnet | ssh | http} console server_tag [LOCAL]
Authorization:  Firewall(config)# aaa authorization command server_tag [LOCAL]
Accounting:     Firewall(config)# aaa accounting command [privilege level] server_tag
Note: AAA HRS am Fic ELS

4.5 WE AAA 3 HF Cut-Through KH

4.6 BTK

5. BRERA Hia
5.1. B5 JOE VE

Overview: supported since PIX 7.0 and FWSM 2.2. A transparent firewall works at layer 2 like a bridge and has only two interfaces, inside and outside, on the same subnet; in multiple-context mode all contexts share the same firewall mode. Transparent mode does not support NAT and needs only a management IP address, but traffic is still filtered with ACLs.
Enable transparent mode: Firewall(config)# firewall transparent    (show firewall shows the current mode; switching modes clears the configuration, Ar EA AR DNS BS SE e T DR 4 BT EOC)

Configure the interfaces:
Firewall(config)# interface hardware-id
Firewall(config-if)# speed {auto | 10 | 100 | nonegotiate}
Firewall(config-if)# duplex {auto | full | half}
Firewall(config-if)# [no] shutdown
Firewall(config-if)# nameif if_name
Firewall(config-if)# security-level level

Note: the interfaces themselves carry no IP addresses (RECN CEB, Te De EA KEN HE); if both interfaces have the same security level, same-security-traffic permit inter-interface is required for traffic to pass.

Management IP address: Firewall(config)# ip address ip_address subnet_mask
Firewall(config)# route if_name foreign_network foreign_mask gateway [metric]

MAC address table: Firewall# show mac-address-table displays the learned MAC addresses
Firewall(config)# mac-address-table aging-time minutes           sets the MAC aging time
Firewall(config)# mac-address-table static if_name mac_address   adds a static MAC entry
Firewall(config)# mac-learn if_name disable                      disables MAC learning on the interface (show mac-learn shows the setting)

ARP: Firewall(config)# arp if_name ip_address mac_address               static ARP entry
Firewall(config)# arp-inspection if_name enable [flood | no-flood]      enables ARP inspection

Non-IP traffic must be permitted with an EtherType ACL:
Firewall(config)# access-list acl_id ethertype {permit | deny} {any | bpdu | ipx | mpls-unicast | mpls-multicast | ethertype}
Firewall(config)# access-group acl_id {in | out} interface if_name
5.2. Bi s BA) ER AG TG HEHE

Overview: traffic from a higher-security to a lower-security interface is outbound; the PIX permits outbound traffic by default without an ACL, whereas the FWSM requires an ACL to permit any traffic. Traffic from a lower-security to a higher-security interface is inbound and is denied unless an ACL permits it. kl — x 4 55 48 HU a] th T UA RED E EHE
LFF TR) LAT NAT 2878

NAT type            Application                                              Basic command          Direction in which connections can be initiated
------------------  -------------------------------------------------------  ---------------------  -----------------------------------------------
Static NAT          Real source addresses (and ports) are translated to      static                 Inbound or outbound
                    mapped addresses (and ports)
Policy static NAT   Conditionally translates real source addresses (and      static access-list     Inbound or outbound
                    ports) to mapped addresses
Identity NAT        No translation of real source addresses                  nat 0                  Outbound only
NAT exemption       No translation of real source addresses matched by       nat 0 access-list      Inbound or outbound
                    the access list
Dynamic NAT         Translates real source addresses to a pool of mapped     nat id                 Outbound only
                    addresses                                                global id address
PAT                 Translates real source addresses to a single mapped      nat id                 Outbound only
                    address with dynamic port numbers                        global id address
Connection limit options: PIX 6.x ... [norandomseq] [max_conns [emb_limit]]
                          PIX 7.x ... [norandomseq] [[tcp] max_conns [emb_limit]] [udp udp_max_conns]
Idle timeouts: Firewall(config)# timeout [conn hh:mm:ss] [udp hh:mm:ss]

Static NAT
Static address translation: Firewall(config)# static (real_ifc,mapped_ifc) {mapped_ip | interface} {real_ip [netmask mask]} [dns] [norandomseq] [max_conns [emb_limit]]
Static port translation:    Firewall(config)# static (real_ifc,mapped_ifc) {tcp | udp} {mapped_ip | interface} mapped_port {real_ip real_port [netmask mask]} [dns] [norandomseq] [max_conns [emb_limit]]

Policy NAT
Define the ACL:      Firewall(config)# access-list acl_name permit ip real_ip real_mask foreign_ip foreign_mask
Static policy NAT:   Firewall(config)# static (real_ifc,mapped_ifc) mapped_ip access-list acl_name [dns] [norandomseq] [max_conns [emb_limit]]
Dynamic policy NAT:  Firewall(config)# global (mapped_ifc) nat_id {global_ip [-global_ip] [netmask global_mask] | interface}
                     Firewall(config)# nat (real_ifc) nat_id access-list acl_name [dns] [outside] [norandomseq] [max_conns [emb_limit]]

Identity NAT: Firewall(config)# nat (real_ifc) 0 real_ip real_mask [dns] [norandomseq] [max_conns [emb_limit]]

Note: nat 0 and static differ in that nat 0 applies only to outbound connections, while static allows connections to be initiated in either direction, XS Fs] — Bl HE e XC a

NAT Exemption
Firewall(config)# access-list acl_name permit ip local_ip local_mask foreign_ip foreign_mask
Firewall(config)# nat (real_ifc) 0 access-list acl_name [dns] [outside] [max_conns [emb_limit] [norandomseq]]

Hs HEURE NAT SEE EEG A LAE BER SKAR A i

Dynamic NAT and PAT
Define the NAT address pool:        Firewall(config)# global (mapped_ifc) nat_id global_ip[-global_ip] [netmask global_mask]
Define the PAT address:             Firewall(config)# global (mapped_ifc) nat_id {global_ip | interface}
Define the addresses to translate:  Firewall(config)# nat (real_ifc) nat_id real_ip [mask [dns] [outside] [norandomseq] [max_conns [emb_limit]]]

Note: an ACL can also be used to select the traffic to translate (policy NAT).
5.3 (FA ACL Ziil

Overview: ACLs are configured much as in IOS, but with normal subnet masks rather than wildcard masks. Object groups can be used for IP addresses, ICMP types, IP protocols and services. access-list acl_name compiled enables Turbo ACL, which 7.x no longer needs. Dj Jul) ACL RAET ERY, 7.x Je HÆRS TRE H HH TRS ER BHL BOSE E. HEIN ET extend WBA, E ERE ELAN BY DAS gn] FE er NE ER RS EAE H MIN AE 0480 extend Xx SHE.
Define Object Groups
Network object group:    Firewall(config)# object-group network group_id
                         Firewall(config-network)# description text
                         Firewall(config-network)# network-object ip_addr mask    (or host ip_addr)
                         Firewall(config-network)# group-object group_id
ICMP-type object group:  Firewall(config)# object-group icmp-type group_id
                         Firewall(config-icmp-type)# description text
                         Firewall(config-icmp-type)# icmp-object icmp_type
                         Firewall(config-icmp-type)# group-object group_id
Protocol object group:   Firewall(config)# object-group protocol group_id
                         Firewall(config-protocol)# description text
                         Firewall(config-protocol)# protocol-object protocol
                         Firewall(config-protocol)# group-object group_id
Service object group:    Firewall(config)# object-group service group_id {tcp | udp | tcp-udp}
                         Firewall(config-service)# description text
                         Firewall(config-service)# port-object range begin_port end_port    (or eq port)
                         Firewall(config-service)# group-object group_id

Time ranges (7.0 and later)
Firewall(config)# time-range name
Firewall(config-time-range)# periodic start-day hh:mm to end-day hh:mm
Firewall(config-time-range)# periodic days-of-the-week hh:mm to hh:mm
Firewall(config-time-range)# absolute [start hh:mm day month year] [end hh:mm day month year]

Define the ACL:
Firewall(config)# access-list acl_id [line line-num] [extended] {permit | deny}
    {protocol | object-group protocol_obj_group}
    {source_addr source_mask | object-group network_obj_group} [operator sport | object-group service_obj_group]
    {destination_addr destination_mask | object-group network_obj_group} [operator dport | object-group service_obj_group]
    [log [[disable | default] | [level]] [interval secs]] [time-range name] [inactive]

show access-list displays the ACLs with their hit counts; clear access-list acl_id counters resets the counters.
6. Configuring Failover 24 Tn aT HE

REVET D T TRR nm HI E s abt PR ex LER , fear ERE s IRL Dd lA f. Failover HYE . Active-Standby EMP ICH MNP, Hi UR WYE], aAA UR sk Failover-only Din, FWSM LA SLE HE dek H Active TR, Standby LU RIES Active KREMA TIE, KEMER E H RR me EU Tr EH ERU. dr 7.x DUS HET SI T. context HMS, 3x FE Active-Active 5; — ft Failover Se HH HD HL f, ÆREN context FAA CM) active TU standby, FÉ FARRE E context TÅ £8 få P rf fs Ep Tir, BRT HERE [HAE IBEX Hd PIX515E, 525, 535 fl ASA^F G x.
6.1 Configuring Failover

MEER HESS: TT EE e Re, MA AE UR MYRE, tPA serial JE HU AR D e ZA PN ta HU T D OR RE, MIE lan AEH K BU BR Ar SOR RE
Firewall(config)# failover lan unit {primary | secondary}

Configure the failover interface addresses:
FWSM 2.x  Firewall(config)# failover interface ip if_name ip_address mask standby ip_address
PIX 6.x   Firewall(config)# interface phy_if phy_speed
          Firewall(config)# nameif phy_if if_name security_level
          Firewall(config)# ip address if_name ip_address netmask
          Firewall(config)# failover ip address if_name ip_address
PIX 7.x   Firewall(config)# interface phy_if
          Firewall(config-if)# speed speed
          Firewall(config-if)# duplex duplex
          Firewall(config-if)# no shutdown
          Firewall(config-if)# exit
          Firewall(config)# failover interface ip if_name ip_address mask standby ip_address

Define the failover LAN interface:
FWSM 2.x  Firewall(config)# failover lan interface if_name vlan vlan
PIX 6.x   Firewall(config)# failover lan interface if_name
PIX 7.x   Firewall(config)# failover lan interface if_name phy_if

Optional: failover lan key key-string secures the failover link with a shared key.
failover lan enable enables LAN-based failover; the FWSM does not need it, since LAN-based failover is its only form.

For Active-Active failover, failover groups are also defined in the system execution space:
Firewall(config)# failover group {1 | 2}
Firewall(config-fover-group)# {primary | secondary}
Firewall(config-fover-group)# preempt

Define virtual MAC addresses:
PIX 6.x        Firewall(config)# failover mac address if_name active_mac standby_mac
PIX 7.x (A-S)  Firewall(config)# failover mac address phy_if active_mac standby_mac
PIX 7.x (A-A)  Firewall(config)# failover group {1 | 2}
               Firewall(config-fover-group)# mac address phy_if active_mac standby_mac

Define poll times and interface monitoring:
PIX 6.x  Firewall(config)# failover poll time
PIX 7.x  Firewall(config)# failover polltime [unit] [msec] time [holdtime holdtime]
         Firewall(config)# failover polltime interface time
Firewall(config)# failover interface-policy num[%]
Firewall(config)# monitor-interface if_name

Replicate HTTP connections: Firewall(config)# failover replicate http

Firewall(config)# failover enables failover.

6.2 FH Failover

show failover shows the failover status; its options include state, lan, history and others.

[no] failover active forces a switchover; failover reset returns a failed unit to service; failover reload-standby reloads the standby unit.
7. BANNE

RENA: HAMER Failover DE "ent HE, (HETER EINE LAA 2538, RE Tx ET AA DI BE MEENA R pS WN GEI OE. BIEN GRE SKAH RLE Hr, EH] 6500 FÅ L IOS SLB (Server Load Balancing) TER] rr FWLB RI, BAFFIN, 1 6500 EWE CSM (Content Switching Module) KKI, len NE ere, BEY CSS (Content Services Switch) 5i ZZ WRI. BARI AE TE H EL f 2805) ff MN IS RE inside fI outside ANM, Se h HU Se EVER Fed TELE SET T D o

7.1 Fu SESH (6500 native IOS)

Define the VLAN interfaces:
Router(config)# vlan vlan-id
Router(config)# interface vlan vlan-id
Router(config-if)# ip address ip-address subnet-mask
Router(config-if)# no shutdown
Router(config)# ip route inside-network subnet-mask fw-outside-address

Define the probe:
Router(config)# ip slb probe name ping
Router(config-slb-probe)# address ip-address
Router(config-slb-probe)# interval seconds
Router(config-slb-probe)# faildetect retry-count

Define the firewall farm:
Router(config)# ip slb firewallfarm firewallfarm-name
Router(config-slb-fw)# real ip-address
Router(config-slb-fw-real)# probe probe-name
Router(config-slb-fw-real)# inservice
Router(config-slb-fw-real)# weight weighting-value

Define the traffic to be load balanced (for the outside side):
Router(config-slb-fw)# access [source source-ip-address network-mask] [destination destination-ip-address network-mask]

Set the FWLB predictor: Router(config-slb-fw)# predictor hash address [port]

Enable FWLB: Router(config-slb-fw)# inservice
7.2 MERAKI

Set the CSM mode:       Switch(config)# ip slb mode csm
Select the CSM module:  Switch(config)# module csm slot-number

Define the client VLAN:
Switch(config-module-csm)# vlan vlan-id client
Switch(config-slb-vlan-client)# ip address ip-address netmask
Switch(config-slb-vlan-client)# gateway ip-address
Switch(config-slb-vlan-client)# exit

Define the server VLAN:
Switch(config-module-csm)# vlan vlan-id server
Switch(config-slb-vlan-server)# ip address ip-address netmask
Switch(config-slb-vlan-server)# alias ip-address netmask
Switch(config-slb-vlan-server)# route ip-address netmask gateway gw-ip-address

Define the probe:
Switch(config-module-csm)# probe probe-name icmp
Switch(config-slb-probe-icmp)# interval seconds
Switch(config-slb-probe-icmp)# receive receive-timeout
Switch(config-slb-probe-icmp)# retries retry-count
Switch(config-slb-probe-icmp)# failed failed-interval

Define the server farm (the firewalls):
Switch(config-module-csm)# serverfarm serverfarm-name
Switch(config-slb-sfarm)# real ip-address
Switch(config-slb-real)# inservice
Switch(config-slb-sfarm)# predictor hash address {source | destination} 255.255.255.255
Switch(config-slb-sfarm)# no nat server
Switch(config-slb-sfarm)# probe probe-name

Define a virtual server that sends traffic to the farm:
Switch(config-module-csm)# vserver virtual-server-name
Switch(config-slb-vserver)# serverfarm serverfarm-name
Switch(config-slb-vserver)# virtual ip-address [network-mask] any
Switch(config-slb-vserver)# vlan vlan-number
Switch(config-slb-vserver)# inservice
Switch(config-slb-vserver)# replicate csrp {sticky | connection}

Define a server farm that forwards traffic without load balancing (predictor forward):
Switch(config-module-csm)# serverfarm serverfarm-name
Switch(config-slb-sfarm)# predictor forward
Switch(config-slb-sfarm)# no nat server

Define the matching virtual server:
Switch(config-module-csm)# vserver virtual-server-name
Switch(config-slb-vserver)# serverfarm serverfarm-name
Switch(config-slb-vserver)# virtual 0.0.0.0 0.0.0.0 any
Switch(config-slb-vserver)# vlan vlan-number
Switch(config-slb-vserver)# inservice
7.3 CSS configuration

Configure the interface:
(config) interface interface-name
(config-if) bridge vlan vlan-id    (or: (config-if) trunk)

Configure the IP circuit:
(config) circuit circuit-name
(config-circuit) ip address ip-address subnet-mask
(config-circuit-ip) enable

Configure the default route:
(config) ip route 0.0.0.0 0.0.0.0 next-hop-address

Define the firewall:
(config) ip firewall index local-firewall-address remote-firewall-address remote-css-address

Define the route through the firewall:
(config) ip route ip-address subnet-mask firewall index distance

Set the keepalive timeout:
(config) ip firewall timeout seconds

Verification: show ip firewall, show ip routes firewall and show flows.

8. Time and logging

8.1 Clock and NTP

Set the time zone:
Firewall(config)# clock timezone zone-name hours [minutes]

Set daylight saving time:
Firewall(config)# clock summer-time zone recurring [week weekday month hh:mm week weekday month hh:mm] [offset]
Firewall(config)# clock summer-time zone date {day month | month day} year hh:mm {day month | month day} year hh:mm [offset]

Set the clock manually:
Firewall(config)# clock set hh:mm:ss {day month | month day} year

Display the clock:
Firewall# show clock [detail]

Configure an NTP server:
Firewall(config)# ntp server ip-address [key number] [source if-name] [prefer]

Configure NTP authentication:
Firewall(config)# ntp authentication-key key-number md5 value
Firewall(config)# ntp trusted-key key-number
Firewall(config)# ntp authenticate

NTP verification: show ntp, show ntp status, show ntp associations

8.2 Logging configuration

Enable logging:
Firewall(config)# logging on    (7.x: logging enable)

Define an event list (7.0 and later):
Firewall(config)# logging list event-list level level [class event-class]
Firewall(config)# logging list event-list message start[-end]

Set the level per message class (7.0 and later):
Firewall(config)# logging class event-class destination level [destination level] [destination level] ...

Log to the console:
Firewall(config)# logging console level

Log to Telnet and SSH sessions:
Firewall(config)# logging monitor level

Log to the internal buffer:
Firewall(config)# logging buffered level

Save the buffer to an FTP server (7.0 and later):
Firewall(config)# logging ftp-bufferwrap
Firewall(config)# logging ftp-server ftp-server path username password

Save the buffer to flash (7.0 and later):
Firewall(config)# logging flash-bufferwrap
Firewall(config)# logging flash-minimum-free kbytes-free
Firewall(config)# logging flash-maximum-allocation kbytes-max

Send logs as SNMP traps:
Firewall(config)# snmp-server host [if-name] ip-addr trap
(7.x: Firewall(config)# snmp-server host if-name ip-addr trap [community string] [version version] [udp-port port])
Firewall(config)# snmp-server enable traps {all | syslog}
Firewall(config)# logging history level

Send logs to a syslog server:
Firewall(config)# logging trap level
Firewall(config)# logging device-id {hostname | ipaddress if-name | string text}
Firewall(config)# logging host if-name ip-address [protocol/port] [format emblem]
Firewall(config)# logging timestamp
Firewall(config)# logging queue queue-size    (show logging queue displays the queue state)
Firewall(config)# logging facility facility
Firewall(config)# logging standby

Send logs by e-mail (7.x and later):
Firewall(config)# logging mail {level | event-list}
Firewall(config)# smtp-server server-primary [server-secondary]
Firewall(config)# logging from-address from-email-address
Firewall(config)# logging recipient-address to-email-address [level level]

Send logs to ASDM:
Firewall(config)# logging asdm-buffer-size num-of-msgs
Firewall(config)# logging asdm {level | event-list}

Verification: show logging

8.3 Message-level control

Disable a specific message:
Firewall(config)# no logging message message-number    (show logging message displays the status of each message)

Change the level of a message:
Firewall(config)# logging message message-number [level level]

Log ACL hits:
Firewall(config)# access-list acl-name {permit | deny} ... log [level] [interval seconds]
Firewall(config)# access-list deny-flow-max n
Firewall(config)# access-list alert-interval seconds

8.4 Log analysis tools

Commonly used tools:

CS-MARS (http://www.cisco.com)
Network Intelligence Engine (http://www.network-intelligence.com)
Network Security Analyzer and FirewallAnalyzer Enterprise (http://www.eiqnetworks.com)
Sawmill Log Analyzer (http://www.sawmill.net)
CiscoWorks (http://www.cisco.com)

9. Monitoring and troubleshooting

9.1 Resource monitoring

CPU usage:
Firewall# show cpu usage    (show cpu usage context all for all contexts; normal load is below 80%)
show processes lists the processes with their Runtime.

Memory:
Firewall# show memory

Translation count:
Firewall# show xlate count

Connection count:
Firewall# show conn count

Throughput can be read from PDM, syslog or show traffic; the performance monitor is controlled with:
Firewall# show perfmon
Firewall(config)# perfmon interval seconds
Firewall(config)# perfmon {verbose | quiet}

Inspection and service policy:
Firewall# show service-policy

Failover:
Firewall# show failover

Interfaces:
Firewall# show interface

Priority queues:
Firewall# show priority-queue statistics [if-name]
9.2 Packet capture and debug

Packet-level troubleshooting uses capture sessions or debug packet; the rest of this introductory paragraph, which discusses the CPU load they add, is garbled in the scan.

Capture

Define the capture ACL:
Firewall(config)# access-list acl-id [line line-num] [extended] permit protocol source-addr source-mask [operator sport] destination-addr destination-mask [operator dport]

Create the capture:
Firewall# capture capture-name [access-list acl-name] [ethernet-type type] [interface if-name] [buffer bytes] [circular-buffer] [packet-length bytes]
(7.x adds: type {raw-data | isakmp | asp-drop drop-reason})

View the capture: show capture lists the captures that have been defined; Firewall# show capture capture-name [access-list acl-name] [detail] [dump] displays the captured packets. Firewall# copy capture:capture-name tftp://server/path [pcap] copies the capture to a TFTP server, and when the http server is enabled it can be downloaded from https://firewall-address/capture/capture-name[/pcap] through a web browser.

clear capture capture-name empties the capture buffer but keeps the capture defined; no capture capture-name interface if-name stops capturing on that interface but keeps the buffer; no capture capture-name removes the capture entirely.

Debug:
Firewall# debug packet if-name [src source-ip [netmask mask]] [dst dest-ip [netmask mask]] [[proto icmp] | [proto {tcp | udp} [sport src-port] [dport dest-port]]] [rx | tx | both]

9.3 Verifying connectivity, ACLs, NAT and connections

Ping test:
Firewall# ping [if-name] host [data pattern] [repeat count] [size bytes] [timeout seconds] [validate]

ARP table:
show arp

Routing table:
show route

Traceroute: for traceroute to pass through the firewall, permit the following traffic:
Firewall(config)# access-list acl-name permit icmp any any eq echo
Firewall(config)# access-list acl-name permit icmp any any eq echo-reply
Firewall(config)# access-list acl-name permit icmp any any eq unreachable
Firewall(config)# access-list acl-name permit icmp any any eq time-exceeded
Firewall(config)# access-list acl-name permit udp any range 32768 65535 any range 33434 33523
Firewall(config)# access-list acl-name permit udp any dns-address eq domain    (optional)

ACL verification: show access-group, show access-list

NAT verification:
Firewall# show xlate [detail] [global | local ip1[-ip2] [netmask mask]] [lport | gport port[-port]] [interface if1[,if2][,ifn]] [state static [,dump] [,portmap] [,norandomseq] [,identity]] [debug] [count]
Firewall# show xlate [{global | local} ip1[-ip2] [netmask mask]] [{lport | gport} port[-port]] [interface if1[,if2][,ifn]] [state {static | portmap | identity | norandomseq}] [debug] [detail]
Firewall# show conn [state state-type] [{foreign | local} ip1[-ip2] netmask mask] [long] [{lport | fport} port1[-port2]] [protocol {tcp | udp}]

Local host table:
Firewall# show local-host [ip-address] [all] [detail]

Clear translations:
Firewall# clear xlate global global-ip [netmask mask] [gport global-port]
Firewall# clear xlate local local-ip [netmask mask] [lport local-port]
Firewall# clear xlate interface if-name-1[,if-name-2]
Firewall# clear xlate

Timeouts:
Firewall(config)# timeout xlate hh[:mm[:ss]]
Firewall(config)# timeout conn hh[:mm[:ss]] [half-closed hh[:mm[:ss]]] [udp hh[:mm[:ss]]]

Shun: show shun, show shun statistics

Authentication and URL filtering: show uauth, show url-server stats

(A closing remark about AAA commands is garbled in the scan.)

10. Syslog

This chapter covers the syslog message format, syslog servers on Linux and Windows, and the device-side configuration.

Syslog basics

Syslog is carried over UDP port 514. A message is at most 1024 bytes long and consists of Facility, Severity, Hostname, Timestamp and Message fields.

Facility identifies the source of a syslog message. Values 16 to 23 are the local-use facilities local0 to local7, which are normally assigned to network devices. IOS, CatOS and the VPN 3000 send with facility local7 by default; PIX uses local4 by default; the facility can be changed on every platform.

Severity indicates how serious the message is (the rest of this sentence is garbled in the scan). The levels are:

0  Emergency      system unusable
1  Alert          immediate action required
2  Critical       critical condition
3  Error          error condition
4  Warning        warning condition
5  Notification   normal but significant event, for example interface up/down
6  Informational  informational message
7  Debug          debug message

Hostname is the host name or IP address of the sending device (the rest of this sentence is garbled in the scan).

Timestamp is the local time at which the message was generated; on IOS it is enabled with service timestamps. The format is MMM DD HH:MM:SS Timezone.

Message is the message text.

Syslog server configuration

10.1 Configuring syslogd on Unix

syslogd is configured in /etc/syslog.conf. Each line pairs a selector with a destination, facility.severity<Tab>destination-file-path, and a message is written to every destination whose selector matches its facility and severity. The facilities used here are local0 to local7; the severities, from lowest to highest, are debug, info, notice, warning, err, crit, alert and emerg, plus none. The selector syntax is as follows:

*.severity selects one severity for all facilities; local1,local5.debug lists several facilities, separated by commas, for one severity; several selectors joined by ; combine facilities and severities.

none excludes every severity of that facility.

A severity such as notice or warning matches that level and every higher level. facility.!severity excludes a level and everything above it: local7.*;local7.!err writes all local7 messages except those at err, crit, alert and emerg.

facility.=severity matches exactly one level: local7.=debug writes only local7 debug messages, not info and above.

To forward messages to a remote syslog server write facility.severity<Tab>@hostname; the host name must resolve through /etc/hosts or DNS.

A complete example:

local6.*;local6.!=err    /var/log/allexcepterror.log
writes every local6 message to allexcepterror.log except those at severity err.

By default syslogd does not accept syslog messages from the network; to receive messages from remote devices, start it with the -r option.
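As an added example that is not part of the original document, the following Python script decodes the PRI header that carries the Facility and Severity described in the syslog basics section (PRI = facility * 8 + severity) and evaluates syslog.conf selectors of the forms listed above (*.severity, comma-separated facilities, !severity, =severity, !=severity and none) against sample messages. The rule set, the file names and the message lines are constructed for illustration, not taken from the document or captured from a device.

```python
import re

# Facility numbers from the syslog protocol; 16-23 are the local-use
# facilities the chapter assigns to network devices (PIX default: local4 = 20).
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
# Severity numbers; the names are the ones syslog.conf uses (section 10.1).
SEVERITIES = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
              4: "warning", 5: "notice", 6: "info", 7: "debug"}
SEV_BY_NAME = {v: k for k, v in SEVERITIES.items()}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(line):
    """Split '<PRI>rest' into (facility, severity, rest).

    PRI = facility * 8 + severity, so a PIX warning at the default facility
    local4 is encoded as <164> (20 * 8 + 4)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("line has no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI %d out of range" % pri)
    fac, sev = divmod(pri, 8)
    return FACILITIES.get(fac, "facility%d" % fac), SEVERITIES[sev], m.group(2)


def selector_matches(selector, facility, severity):
    """Evaluate a syslog.conf selector the way syslogd does.

    Supported forms: '*.info', 'local1,local5.debug', 'local7.*;local7.!err',
    'local7.=debug', 'local6.!=err', 'local4.none'.  Clauses separated by ';'
    are applied left to right and later clauses override earlier ones."""
    sev_num = SEV_BY_NAME[severity]
    matched = False
    for clause in selector.split(";"):
        facs, _, level = clause.strip().rpartition(".")
        fac_list = facs.split(",")
        if "*" not in fac_list and facility not in fac_list:
            continue
        if level == "none":            # drop everything from this facility
            matched = False
            continue
        negate = level.startswith("!")
        level = level.lstrip("!")
        exact = level.startswith("=")
        level = level.lstrip("=")
        threshold = 7 if level == "*" else SEV_BY_NAME[level]
        # Lower numbers are more severe, so "this level and above" is <=.
        hit = sev_num == threshold if exact else sev_num <= threshold
        if negate:
            if hit:
                matched = False
        elif hit:
            matched = True
    return matched


def route(line, rules):
    """Return the destinations a message reaches under a list of
    (selector, destination) pairs, in syslog.conf order."""
    facility, severity, _ = decode_pri(line)
    return [dest for sel, dest in rules if selector_matches(sel, facility, severity)]


# Constructed rule set (assumed file names, not from the document).
SAMPLE_RULES = [
    ("local4.*", "/var/log/pix.log"),
    ("local6.*;local6.!=err", "/var/log/allexcepterror.log"),
    ("local7.=debug", "/var/log/ios-debug.log"),
    ("*.emerg", "@loghost"),
    ("*.info;local4.none", "/var/log/messages"),
]

# Constructed sample lines; the message bodies are made up, not captured.
SAMPLE_LINES = [
    "<164>Jan 01 2006 12:00:00: %PIX-4-106023: Deny tcp (constructed)",  # local4.warning
    "<179>Jan 01 2006 12:00:01 host1 app: disk error (constructed)",      # local6.err
    "<191>Jan 01 2006 12:00:02 rtr1: debug trace (constructed)",          # local7.debug
    "<8>Jan 01 2006 12:00:03 host2 kernel: panic (constructed)",          # user.emerg
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        fac, sev, _ = decode_pri(line)
        print("%-6s %-7s -> %s" % (fac, sev, route(line, SAMPLE_RULES)))
```

The first sample line shows why the PIX default facility matters: a message tagged <164> only lands in pix.log, because the *.info;local4.none rule explicitly drops local4 from the general log, and an err-level local6 message skips allexcepterror.log exactly as the worked example in the text describes.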











10.2 syslog-ng on Linux

Because syslogd can only sort messages by facility and severity, its filtering is limited, and syslog-ng is often used instead. Its configuration lives under /etc/syslog-ng/ and consists of five kinds of statement: options, source, destination, filter and log.

Options set global parameters: options { option1(value); option2(value); ... };

Source defines where messages come from: source identifier { source-driver(params); source-driver(params); ... };

Destination defines where messages are written: destination identifier { destination-driver(params); destination-driver(params); ... };
For example, destination hosts { file("/var/log/host/$DATE" create_dirs(yes)); }; writes each day's messages to a file named after the date and creates the directories when they do not exist.

Filter defines a matching expression: filter identifier { expression; };

Log ties source, filter and destination together: messages from the listed sources that pass the listed filters are written to the listed destinations. The syntax is log { source(s1); source(s2); ... filter(f1); filter(f2); ... destination(d1); destination(d2); ... flags(flag1[, flag2...]); };

10.3 Syslog servers for Windows

Several syslog servers are available for Windows; Kiwi Syslog is a commonly used one. (The remaining entries of this list are garbled in the scan.)

10.4 Router syslog configuration

Configuration example:

Router(config)#logging 192.168.0.30    (syslog server address)
Router(config)#service timestamps debug datetime localtime show-timezone msec
Router(config)#service timestamps log datetime localtime show-timezone msec    (timestamp format of syslog messages)
Router(config)#logging facility local3    (facility; the default is local7, local0 to local7 are available)
Router(config)#logging trap warning    (severity; the default is informational)
Router(config)#end

Router#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: level debugging, 79 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: disabled
Trap logging: level warnings, 80 message lines logged
Logging to 192.168.0.30, 57 message lines logged

10.5 Switch (CatOS) syslog configuration

Configuration example:

Console> (enable) set logging timestamp enable    (enable timestamps)
Console> (enable) set logging server 192.168.0.30    (syslog server address; up to three servers can be defined)
Console> (enable) set logging server facility local4    (facility; the default is local7)
Console> (enable) set logging server severity 4    (severity; messages at this level and more severe are sent to the server)
Console> (enable) set logging server enable    (enable sending to the syslog server)

Console> (enable) show logging
Logging buffered size: 500
timestamp option: enabled
Logging history size: 1
Logging console: enabled
Logging server: enabled
{192.168.0.30}
server facility: LOCAL4
server severity: warnings (4)
Current Logging Session: enabled

Facility    Default Severity    Current Session Severity
cdp
drip        2                   1

10.6 PIX firewall syslog configuration

Configuration example:

Firewall(config)# logging timestamp    (add timestamps)
Firewall(config)# logging host 192.168.0.30    (syslog server address; udp or tcp can be chosen, and the PIX Firewall Syslog Server requires tcp)
Firewall(config)# logging facility 21    (facility given as a number: local0 is 16 and so on; the default is 20, i.e. local4)
Firewall(config)# logging trap 7    (severity: 7 is debug, 0 is emerg, 1 is alert)
Firewall(config)# logging on    (enable syslog)
Firewall(config)# no logging message 111005    (suppress a specific syslog message)
Firewall(config)# exit

Firewall# show logging
Syslog logging: enabled
Facility: 21
Timestamp logging: enabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level debugging, 6 messages logged
Logging to inside 192.168.0.30
History logging: disabled
Device ID: disabled
10.7 VPN Concentrator syslog configuration

In the web interface, go to Configuration > System > Events > Syslog Servers and add the syslog server; the facility is set there (the exact wording is garbled in the scan). Under Configuration > System > Events > General, the "severity to syslog" setting selects which severities are sent to the syslog server (the rest of this paragraph is garbled in the scan).

neoshi@gmail.com

11. Cisco PIX questions and answers

11.1 How can Telnet reach the outside interface of the PIX?

Answer:

Licensed Features:
VPN-DES: Enabled
VPN-3DES: Disabled

Use SSH to log in; Telnet to the outside interface does not work.

For access from inside to the dmz, use nat and global; for access from the dmz to inside, use static and access-list.

PIX 515E with an ADSL modem

(Explanatory sentence garbled in the scan.)

ADSL MODEM IP: 192.168.1.1

pixfirewall(config)#vpdn group <group-name> request dialout pppoe
pixfirewall(config)#vpdn group <group-name> ppp authentication {pap | chap | mschap}
pixfirewall(config)#vpdn group <group-name> localname <username>
pixfirewall(config)#vpdn username <username> password <password>
pixfirewall(config)#ip address <interface-name> pppoe
11.2 PIX 515E configuration question (title garbled in the scan)

Configuration:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 61.155.88.82 255.255.255.252
ip address inside 10.10.3.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 3 interface
nat (inside) 3 10.10.1.1 255.255.255.255 0 0
nat (inside) 3 10.10.1.9 255.255.255.255 0 0
nat (inside) 3 10.10.1.81 255.255.255.255 0 0
nat (inside) 3 10.10.1.82 255.255.255.255 0 0
nat (inside) 3 10.10.1.113 255.255.255.255 0 0
nat (inside) 3 10.10.1.161 255.255.255.255 0 0
nat (inside) 3 10.10.1.162 255.255.255.255 0 0
nat (inside) 3 10.10.1.165 255.255.255.255 0 0
nat (inside) 3 10.10.1.240 255.255.255.255 0 0
nat (inside) 3 10.10.2.240 255.255.255.248 0 0
nat (inside) 3 10.10.1.240 255.255.255.240 0 0
route outside 0.0.0.0 0.0.0.0 61.155.88.81 1
route inside 10.0.0.0 255.0.0.0 10.10.3.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:72a261056ba18f4dbefab375fb871688
: end

Also, to control what internal users may access, define an ACL and apply it in the in direction on the inside interface.

Such ACLs can also be delivered from a TACACS server as downloaded ACLs.

11.3 How should this PIX 515 ACL be written?

deny ip host 61.129.64.* any
61.129.64 is the network to be blocked (the rest of the question is garbled in the scan). Is this correct?

juechen70:
deny ip 61.129.64.0 255.255.255.0

csco10334975:
deny ip 61.129.64.0 255.255.255.0 any

mythis:
access-list 100 deny ip 61.129.64.0 255.255.255.0 any

Configuring DHCP on the PIX to assign addresses to hosts in the DMZ:

dhcpd address 192.118.0.5-192.118.0.254 dmz
dhcpd enable dmz
dhcpd dns 219.141.136.10 218.247.141.68

How does PIX 7.0 switch between routed and transparent mode?
My PIX 515E was upgraded to PIX 7.0.1 and I want to change it to transparent mode; the commands are:

firewall transparent

no firewall transparent

11.4 How to enable DHCP on a 515E?

dhcpd enable inside

11.5 How can the dmz and inside networks reach each other on the PIX?

(Question garbled in the scan; it describes servers placed in the dmz that must be reached from inside, and mentions the inside and outside interfaces.)

(Reply garbled in the scan; it discusses the addressing between inside and the dmz.)
11.6 (Question title garbled in the scan)

Reply: It can. With PIX OS 7.0.1 the firewall transparent command puts the PIX into transparent mode (the rest of the reply is garbled in the scan).

(A further exchange is garbled in the scan; its recoverable fragments are the protocols HTTP, HTTPS, PPTP and TCP/UDP 5060/1270.)

(Another exchange, also garbled, concerns failover on a PIX 515 running PIX OS 6.3 and the license this needs; the reply points to show ver to check the license.)

11.7 Why can the outside interface of the 515E not be pinged?

PIX software version 6.3(4); the outside and inside interface addresses of the 515E are configured. Pinging the outside interface of the 515E from an external host fails (the rest of the question is garbled in the scan).

(Reply garbled in the scan; it asks whether 515E releases from 6.2 onward changed the default behaviour for pinging the outside interface.)

Reply:
icmp permit any outside

PIX VPN works over the DDN line but not over ADSL?

Configuration (pix520):

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 Outside security0
nameif ethernet1 inside security100
nameif ethernet2 Outside-DMZ security50
enable password GyBjREMSY/fljrzB encrypted
passwd [hash garbled in the scan] encrypted
hostname PIX-yinhetech
domain-name test.cn
clock timezone CST 8
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 2121
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.128.1.0 notebookpoolIP
access-list nonat permit ip 10.10.0.0 255.255.0.0 notebookpoolIP 255.255.255.0
access-list 101 permit ip 10.10.0.0 255.255.0.0 any
access-list notebookpc_splitTunnelAcl permit ip 10.10.0.0 255.255.0.0 any
access-list notebookpc_splitTunnelAcl permit ip notebookpoolIP 255.255.255.0 any
access-list notebookpc_splitTunnelAcl permit ip host 10.6.4.11 any
access-list Outside_cryptomap_dyn_20 permit ip any notebookpoolIP 255.255.255.0
access-list Outside_cryptomap_dyn_20 permit ip notebookpoolIP 255.255.255.0 any
pager lines 24
logging on
logging standby
logging buffered debugging
logging trap notifications
icmp deny any Outside
mtu Outside 1500
mtu inside 1500
mtu Outside-DMZ 1500
ip address Outside x.x.x.x 255.255.255.240
ip address inside 10.127.1.253 255.255.255.0
ip address Outside-DMZ 172.18.3.254 255.255.255.0
ip verify reverse-path interface Outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool notebookpool 10.128.1.1-10.128.1.250
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address Outside
no failover ip address inside
no failover ip address Outside-DMZ
pdm history enable
arp timeout 14400
global (Outside) 1 x.x.x.x netmask 255.255.255.240
global (Outside-DMZ) 1 172.18.3.200-172.18.3.250 netmask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.128.0.0 0 0
access-group 101 in interface inside
route Outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.0.0.0 255.128.0.0 10.127.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.10.74 255.255.255.255 inside
http 10.10.10.88 255.255.255.255 inside
snmp-server host inside 10.10.10.10
snmp-server host inside 10.10.10.74
snmp-server location soft yuan internet
snmp-server contact bill
snmp-server community public
snmp-server enable traps
tftp-server inside 10.10.10.74 /
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp identity address
isakmp keepalive 60 5
isakmp nat-traversal 120
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup notebookpc address-pool notebookpool
vpngroup notebookpc dns-server 10.10.10.68 202.103.224.68
vpngroup notebookpc default-domain yhgroup.cn
vpngroup notebookpc split-tunnel notebookpc_splitTunnelAcl
vpngroup notebookpc idle-time 1800
vpngroup notebookpc password ********
telnet 10.0.0.0 255.128.0.0 inside
telnet 10.10.10.110 255.255.255.255 inside
telnet 10.10.10.110 255.255.255.255 Outside-DMZ
telnet timeout 31
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:826ec1728f5df3bb3ecf0542790a4d35

(The public addresses marked x.x.x.x were masked by the poster.)

surf qj:

I dial in with the Cisco Systems VPN Client 4.01. Over the ADSL line the VPN does not connect, while over the DDN line it works through the PIX (the rest of this description, which involves a 2620 router and the ADSL connection, is garbled in the scan).

isakmp nat-traversal 120
With NAT in the path, NAT traversal has to be enabled.

11.8 A PIX 515 problem

(Question partly garbled in the scan; recoverable fragments: the configuration is below, the dmz cannot reach inside or the Internet while inside can, and outside has only a single global address.)

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password O53fPNRgHKkA6IEsY encrypted
passwd TWjtIlemvjruV4SY encrypted
hostname jygatewall
domain-name 219.2.2.2
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list dmz_jygate_acl deny icmp any any
access-list dmz_jygate_acl permit udp any any eq domain
access-list dmz_jygate_acl permit tcp any any eq www
access-list dmz_jygate_acl permit udp any any eq 20
access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 20817
access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 20820
access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 8080
access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 8383
access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 32002
pager lines 24
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 219.150.1.2 255.255.255.224
ip address inside 192.168.168.1 255.255.255.0
ip address dmz 172.172.172.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 219.150.1.2
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 219.150.1.2 172.172.172.101 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.168.0 192.168.168.0 netmask 255.255.255.0 0 0
access-group dmz_jygate_acl in interface outside
access-group dmz_jygate_acl in interface dmz
route outside 0.0.0.0 0.0.0.0 219.150.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt security fragguard
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:594b9bbf77abf8a342afee1764e4f7cd
: end

nyb0319:

no static (inside,dmz) 192.168.168.0 192.168.168.0 netmask 255.255.255.0 0 0
Change it to: static (inside,dmz) 172.172.172.1 192.168.168.0 netmask 255.255.255.0 0 0

Add one more line:
static (inside,outside) 219.150.1.2 192.168.168.0 netmask 255.255.255.0 0 0

no access-group dmz_jygate_acl in interface dmz

crazytank:

I tried it and got the error "global address overlaps with mask" (the rest of the reply is garbled in the scan).

leschina:

ip address outside 219.150.1.2 255.255.255.224
global (outside) 1 219.150.1.2

These conflict. Use global (outside) 1 interface to define the global address.
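As an added example that is not part of the thread, the following Python script reproduces the overlap check behind the "global address overlaps with mask" error discussed above: it parses the ip address, global and static lines of a PIX 6.x configuration and reports every global or static address that coincides with an interface address. The sample configuration is a constructed excerpt built from the thread's own addresses, and the regular expressions cover only the command forms that appear in it.

```python
import ipaddress
import re

# PIX 6.x command forms used in the thread's configuration.
IP_ADDRESS_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$", re.I)
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)(?: netmask (\S+))?$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)(?: netmask (\S+))?")


def parse_config(text):
    """Collect interface addresses, global pools and static translations."""
    ifaces, globals_, statics = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = IP_ADDRESS_RE.match(line)
        if m:
            name, addr, mask = m.groups()
            ifaces[name] = ipaddress.IPv4Interface("%s/%s" % (addr, mask))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            ifname, pool_id, addr, _mask = m.groups()
            globals_.append((ifname, int(pool_id), addr))
            continue
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, mapped, real, mask = m.groups()
            statics.append((real_if, mapped_if, mapped, real, mask or "255.255.255.255"))
    return ifaces, globals_, statics


def find_overlaps(text):
    """Return one finding per NAT address that collides with an interface address."""
    ifaces, globals_, statics = parse_config(text)
    findings = []
    for ifname, pool_id, addr in globals_:
        if addr == "interface":
            continue                      # PAT on the interface address itself is fine
        first = ipaddress.IPv4Address(addr.split("-")[0])
        last = ipaddress.IPv4Address(addr.split("-")[-1])
        if ifname in ifaces and first <= ifaces[ifname].ip <= last:
            findings.append(
                "global (%s) %d %s reuses the %s interface address; "
                "use 'global (%s) %d interface' instead"
                % (ifname, pool_id, addr, ifname, ifname, pool_id))
    for real_if, mapped_if, mapped, real, mask in statics:
        if mapped_if not in ifaces:
            continue
        mapped_net = ipaddress.ip_network("%s/%s" % (mapped, mask), strict=False)
        if ifaces[mapped_if].ip in mapped_net:
            findings.append(
                "static (%s,%s) maps %s onto %s, which covers the %s interface address %s"
                % (real_if, mapped_if, real, mapped_net, mapped_if, ifaces[mapped_if].ip))
    return findings


# Constructed excerpt of the thread's configuration (not the full dump).
SAMPLE_CONFIG = """
ip address outside 219.150.1.2 255.255.255.224
ip address inside 192.168.168.1 255.255.255.0
ip address dmz 172.172.172.1 255.255.0.0
global (outside) 1 219.150.1.2
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 219.150.1.2 172.172.172.101 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.168.0 192.168.168.0 netmask 255.255.255.0 0 0
"""

if __name__ == "__main__":
    for finding in find_overlaps(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the excerpt, the script flags both the global pool and the static that reuse 219.150.1.2, which is exactly the triple use of the outside interface address that leschina points out; replacing the global line with global (outside) 1 interface clears the first finding, and the static suggested by nyb0319 would be flagged in turn because 172.172.172.1 is the dmz interface address.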